Linux - General (LinuxQuestions.org)

Can it be done so that we allow only Linux-based machines to access the internet through a (squid) proxy and firewall (iptables)?

In my university, after a major virus attack on Windows machines, the administration wants to allow internet access only through Linux machines and keep Windows for offline work.
This might reduce the chances of virus attacks. Of course, they might download an attachment in Linux which could be a virus for Windows, but at least the Linux machine will keep on working.

So how should we go about it??

One way could be to keep those Windows machines on a domain, and allow only restricted access to those machines for all users so that they cannot change the network settings in Windows.

Subnets is all I could think of. Put all Windows systems on a subnet that is not allowed access to the WAN side of your routers. This will also make them basically invisible to your Linux boxes unless you give the Linux boxes access to that subnet too.
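The gateway side of the original question (squid plus iptables) combined with the subnet split suggested here, as an added example that is not any poster's own configuration. It assumes a constructed layout: LAN interface eth1, WAN interface eth0, Linux clients in 10.10.1.0/24, Windows clients in 10.10.2.0/24, squid on the gateway at tcp/3128 (all of these are assumptions, overridable through environment variables).

```shell
#!/bin/sh
# Added example for the thread above, not the poster's own configuration.
# Assumed layout (constructed for this example): the gateway has LAN interface
# eth1 and WAN interface eth0; Linux clients live in 10.10.1.0/24, Windows
# clients in 10.10.2.0/24; squid listens on the gateway at tcp/3128.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LINUX_NET=${LINUX_NET:-10.10.1.0/24}
WIN_NET=${WIN_NET:-10.10.2.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit a ruleset in iptables-restore format. Nothing is forwarded to the WAN
# at all, so the proxy is the only way out; only the Linux subnet may reach
# squid (and ssh for management, assumed); traffic from the Windows subnet is
# logged and dropped so any attempt shows up in the gateway's kernel log.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $WIN_NET -j LOG --log-prefix "win-net-blocked: "
-A INPUT -i $LAN_IF -s $WIN_NET -j DROP
-A INPUT -i $LAN_IF -s $LINUX_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LINUX_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix "forward-blocked: "
COMMIT
EOF
}

# Matching squid ACL: even if a Windows host somehow reached the proxy port,
# squid itself refuses it. squid evaluates http_access top to bottom, first
# match wins, so the "deny all" line must stay last.
gen_squid_acl() {
    cat <<EOF
acl linux_clients src $LINUX_NET
http_access allow linux_clients
http_access deny all
EOF
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;        # needs root on the gateway
    --test)  gen_rules | iptables-restore --test ;; # parse only, do not load
    *)       gen_rules; echo; gen_squid_acl ;;      # print both for review
esac
```

Run without arguments to review the generated rules and ACL; `--test` checks the syntax with iptables-restore, and `--apply` loads the ruleset (root on the gateway, and it replaces the whole filter table).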

Just don't make the Micro$oft machines internet enabled. Take out their TCP/IP stack, and do all their workgroups via NetBEUI and Samba. All should be able to see all, but without TCP/IP the M$ machines cannot get access to the net.

You do not need AD to do that. Both Win2k and XP Pro have local security settings. You can make it so that the user (not admin) cannot install anything if you want; in fact you can even limit exactly what they can run.

Look around in the local security settings; you will find all kinds of security settings in there you can apply to the user accounts. No need for an AD setup with a Win2k or 2k3 server running unless you just want to set it up that way.

Set them all to run TCP/IP (for "domain" purposes, which is really tied to the internet...) and the Linux boxes only to run the IPX/SPX stack. Then allow that stack only into the default gateway, where there is a proxy server / protocol switcher (Linux box or appliance). The IPX/SPX (Linux network data) will be repackaged as TCP/IP for the internet. You might need some powerful protocol machines though!!

Or just lock down the permissions tighter, like Lleb_KCir said. What Microsoft O$ are you running?

With 9x in the mix you will not be running a full set of AD, as 9x does not follow all of the permissions set down by the AD. You can do the exact same thing in the AD as you can in your local security settings. Just do it by OU and place all of your users into that OU to prevent them from getting close to the WAN side of things, including removing the ability to open IE or either OE or Outlook.

Once you have the users set to the lowest level they will NOT be able to install 90% of the software out there, nor will they be able to adjust any of the TCP/IP settings.

THIS IS NOT TRUE FOR WIN9x SYSTEMS. As mentioned above, Win9x is not going to follow the AD permissions for the OU security or user level you have set. Your only option for the Win9x boxes is to upgrade them or remove Windows from them completely and leave Linux only on those older systems.

Sadly, with roughly 800 boxes you will still have to touch each and every box to implement a lot of this.

1. Configure your OU.
2. Assign the users to that OU.
3. Configure p/w levels for the users.
4. Touch every box and lock down the local system to prevent local login and ONLY allow domain-level login.
5. Remove floppy drives from all boxes for maximum security. With a floppy drive any and all Windows systems can be 100% compromised in less than 5 min by someone who knows what they are doing and 15-20 min by a script kiddie.

That should help. Sadly that will again leave you touching every box. If the school has batches of similar hardware systems, then I HIGHLY suggest looking into Symantec's Ghost Enterprise. This is pricey, but a school might get a substantial discount. With that you will be able to bring down 1 of each hardware setup and rebuild it. Make a Ghost image, then do a LAN-based roll out.

You can also do something similar with RIS in Win2k/Win2k3 servers, but those are not nearly as effective and only give you a base-level install, not the fully secured and locked-down system that Ghost Enterprise will.

You would also need Ghostwalker to roll the SIDs on all of the systems before you bring them live to the domain.